
Connect-MgGraph auth token unusable when -UseDeviceCode #3495

@lsnliu


Describe the bug

I'm trying to use Connect-MgGraph with -UseDeviceCode. The auth is successful, but all subsequent commands fail with "DeviceCodeCredential authentication failed: Object reference not set to an instance of an object." All tested commands are successful without the -UseDeviceCode flag.

Expected behavior

-UseDeviceCode should work

How to reproduce

  1. Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome -UseDeviceCode
  2. Get-MgServicePrincipal -Filter "displayName eq 'some app name'"

SDK Version

2.34

Latest version known to work for scenario above?

Not sure, first time doing this and 2.34 was the version used.

Known Workarounds

None

Debug output


PS C:\managed_identity_permissions> Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfApp'" -debug
DEBUG: [CmdletBeginProcessing]: - Get-MgServicePrincipal begin processing with parameterSet 'List'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'DeviceCode', ContextScope: 'CurrentUser',
AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All,
DelegatedPermissionGrant.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All, openid,
Policy.Read.All, Policy.ReadWrite.PermissionGrant, profile, RoleManagement.Read.All, Sites.FullControl.All,
Synchronization.ReadWrite.All, User.Read, User.ReadWrite.All, email].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'test1'

Headers:
FeatureFlag                   : 00000003
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200;
en-AU),PowerShell/5.1.26100.7462

Body:


DEBUG: [CmdletException]: Received exception with message 'AuthenticationFailedException - DeviceCodeCredential
authentication failed: Object reference not set to an instance of an object. :    at
Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean
isCredentialUnavailable)
   at Azure.Identity.DeviceCodeCredential.<GetTokenImplAsync>d__44.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Identity.DeviceCodeCredential.<GetTokenAsync>d__41.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at
Microsoft.Kiota.Authentication.Azure.AzureIdentityAccessTokenProvider.<GetAuthorizationTokenAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at
Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<AuthenticateRequestAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.PowerShell.Authentication.Handlers.AuthenticationHandler.<SendAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.PowerShell.Applications.<ServicePrincipalListServicePrincipal_Call>d__1015.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Graph.PowerShell.Applications.<ServicePrincipalListServicePrincipal_Call>d__1015.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.PowerShell.Applications.<ServicePrincipalListServicePrincipal>d__1013.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_List.<ProcessRecordAsync>d__92.MoveNext()'

Confirm
DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
Get-MgServicePrincipal : DeviceCodeCredential authentication failed: Object reference not set to an instance of an object.
At line:1 char:1
+ Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfApp'" - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgServicePrincipal_List], AuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_List

Configuration

Name                           Value
----                           -----
PSVersion                      7.5.4
PSEdition                      Core
GitCommitId                    7.5.4
OS                             Microsoft Windows 10.0.26200
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Other information

No response

Labels: status:waiting-for-triage (an issue that is yet to be reviewed or assigned), type:bug (a broken experience)
